Skip to main content

User Admin Simplifier

1 CVEs product

Monthly

CVE-2026-11775 MEDIUM This Month

Cross-Site Request Forgery in the User Admin Simplifier WordPress plugin (all versions up to and including 3.0.0) enables unauthenticated remote attackers to permanently delete any user's stored admin menu and admin-bar configuration by tricking a logged-in site administrator into submitting a forged request. The flaw exists because the `useradminsimplifier_options_page` function performs no valid nonce check before invoking `uas_save_admin_options()`, which unconditionally overwrites the `useradminsimplifier_options` database entry. No public exploit code has been identified at time of analysis, and this CVE does not appear in CISA's Known Exploited Vulnerabilities catalog.

CSRF WordPress User Admin Simplifier
NVD
CVSS 3.1
4.3
EPSS
0.1%
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery in the User Admin Simplifier WordPress plugin (all versions up to and including 3.0.0) enables unauthenticated remote attackers to permanently delete any user's stored admin menu and admin-bar configuration by tricking a logged-in site administrator into submitting a forged request. The flaw exists because the `useradminsimplifier_options_page` function performs no valid nonce check before invoking `uas_save_admin_options()`, which unconditionally overwrites the `useradminsimplifier_options` database entry. No public exploit code has been identified at time of analysis, and this CVE does not appear in CISA's Known Exploited Vulnerabilities catalog.

CSRF WordPress User Admin Simplifier
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy